[automerger skipped] Check preinstalled app's partition am: be36d71068 am: 44b95e92a7 am: 5ad7961fff am: b777ba8580 am: 45e4f38df0 -s ours

am skip reason: Merged-In I6ed125eff392020ace6686514e0a102dab1fb10f with SHA-1 dc9f3516d7 is already in history

Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2670896

Change-Id: I56fde84cc24aa611530d254910a0ecc4f02c3681
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/libselinux/src/android/android_seapp.c b/libselinux/src/android/android_seapp.c
index db7bd0b..c0f6eb2 100644
--- a/libselinux/src/android/android_seapp.c
+++ b/libselinux/src/android/android_seapp.c
@@ -702,9 +702,10 @@
 	return false;
 }
 
-static bool check_preinstalled_app_partition(const char *spec, const char *app) {
+static bool is_preinstalled_app_partition_valid(const char *app_policy, const char *app_partition) {
 	// We forbid system/system_ext/product installed apps from being labeled with vendor sepolicy.
-	return !is_platform(spec) && is_platform(app);
+	// So, either the app shouldn't be platform, or the spec should be platform.
+	return !(is_platform(app_partition) && !is_platform(app_policy));
 }
 
 
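Review bot: The added comment in `is_preinstalled_app_partition_valid` still speaks of "the spec" although the parameter is now `app_policy`, and the double negation in the return is harder to audit than it needs to be for a labeling policy check. I would state the rule in the parameters' own terms, `// Valid unless the app sits on a platform partition and the matching entry comes from non-platform sepolicy.`, and return the De Morgan form `return !is_platform(app_partition) || is_platform(app_policy);`, which reads exactly like that sentence. Both parameters are `const char *`, so a swapped call compiles silently and inverts the result; a one-line note on argument order above the function would help, and the call in the last hunk, `(cur->partition, partition)`, does match the declared order. Whether `is_platform` tolerates a NULL argument is not visible in this diff, so that is worth confirming for both inputs.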
@@ -896,14 +897,6 @@
 		}
 
 		if (cur->levelFrom != LEVELFROM_NONE) {
-			if (isPreinstalledApp
-					&& !check_preinstalled_app_partition(cur->partition, partition)) {
-				// TODO(b/280547417): make this an error after fixing violations
-				selinux_log(SELINUX_ERROR,
-					"%s:  App %s preinstalled to %s can't be labeled with %s sepolicy",
-					__FUNCTION__, pkgname, partition, cur->partition);
-			}
-
 			int res = set_range_from_level(ctx, cur->levelFrom, userid, appid);
 			if (res != 0) {
 				return res;
@@ -913,6 +906,14 @@
 				goto oom;
 		}
 
+		if (isPreinstalledApp
+				&& !is_preinstalled_app_partition_valid(cur->partition, partition)) {
+			// TODO(b/280547417): make this an error after fixing violations
+			selinux_log(SELINUX_ERROR,
+				"%s:  App %s preinstalled to %s can't be labeled with %s sepolicy",
+				__FUNCTION__, pkgname, partition, cur->partition);
+		}
+
 		break;
 	}